Nelson Elhage nelhage

## regdump.c
/*
 * $ gcc -m32 -fPIC -shared -o regdump.so regdump.c
 * $ LD_PRELOAD=$(pwd)/regdump.so ./test
 *
 * Dump register state with 'ud2a' (0F 0B)
 */

#define _GNU_SOURCE
#include <signal.h>
#include <stdlib.h>

## block.rb
def callblock (&block)
  block.call
  puts "block.call returned normally"
end

def yieldblock (&block)
  yield
  puts "yield returned normally"
end

## nopaste.txt
(require 'ido)
(setq ido-max-directory-size (* 256 1024)
      ido-enable-flex-matching t)

(defun chomp (str)
  "Chomp leading and tailing whitespace from STR."
  (while (string-match "\\`\n+\\|^\\s-+\\|\\s-+$\\|\n+\\'"
                       str)
    (setq str (replace-match "" t t str)))
  str)

## nopaste.txt
for o in $(find .git/objects -ctime -2 -type f);
  do o=$(basename "$(dirname "$o")")"$(basename "$o")";
  if [ "$(git cat-file -t "$o")" = "blob" ]; then
    if git cat-file blob $o | grep SOME-WORD; then
      echo ">> $o";
    fi;
  fi;
done

## nopaste.txt
Normally, this header is included in most HTTP requests (and
preserved across HTTP-level redirects), except in the following
scenarios:
â After organically entering a new URL into the address bar or
  opening a bookmarked page.
â When the navigation originates from a pseudo-URL document, such
  as data: or javascript:.
â When the request is a result of redirection controlled by the
   Refresh header (but not a Location-based one).
â Whenever the referring site is encrypted but the requested page

## nopaste.txt
    case 'G':
      if (! IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_CAPITAL_G_BEGIN_ANCHOR)) break;
      tok->type = TK_ANCHOR;
      tok->u.subtype = ANCHOR_BEGIN_POSITION;
      break;

// elsewhere
    case '^':
      if (! IS_SYNTAX_OP(syn, ONIG_SYN_OP_LINE_ANCHOR)) break;
      tok->type = TK_ANCHOR;

## make_yaml_safe.rb
# The fact that YAML.load will instantiate arbitrary ruby objects
# means that calling `YAML.load` on untrusted data is virtually always
# equivalent to executing arbitrary code in a complex app.

# This code fragment globally neuters YAML to disable this behavior,
# which should (hopefully) cut off all such attacks from the start.

# I don't promise this closes all possible attacks, but this closes
# off the trivial case.  You should audit and upgrade all your
# dependencies, as well.

## solve.py
import sys
sys.path.append("/tmp/Numberjack.0.1.10-11-24/local_lib")
from Numberjack import *
import Mistral

class Puzzle(object):
    def __init__(self, w, h):
        self.model = Model()
        self.width  = w
        self.height = h

## make_yaml_safe.rb
# The canonical version of this file lives at <https://gist.github.com/4507129>. Sorry for the redundant posts.

## nopaste
[nelhage@aeronautique:~/stripe/simmer]$ cat test.in
top5:sum:merchant       nelhage:1
top5:sum:merchant       nelhage:2
top5:sum:merchant       evan:1
sum:x   1
sum:x   2
sum:x   3
(GIT: master *=)
[nelhage@aeronautique:~/stripe/simmer]$ # bin/simmer -r localhost:6379 -f 0 < test.in
(GIT: master *=)
	/*
	* $ gcc -m32 -fPIC -shared -o regdump.so regdump.c
	* $ LD_PRELOAD=$(pwd)/regdump.so ./test
	*
	* Dump register state with 'ud2a' (0F 0B)
	*/

	#define _GNU_SOURCE
	#include <signal.h>
	#include <stdlib.h>
	def callblock (&block)
	block.call
	puts "block.call returned normally"
	end

	def yieldblock (&block)
	yield
	puts "yield returned normally"
	end
	(require 'ido)
	(setq ido-max-directory-size (* 256 1024)
	ido-enable-flex-matching t)

	(defun chomp (str)
	"Chomp leading and tailing whitespace from STR."
	(while (string-match "\\`\n+\\\|^\\s-+\\\|\\s-+$\\\|\n+\\'"
	str)
	(setq str (replace-match "" t t str)))
	str)
	for o in $(find .git/objects -ctime -2 -type f);
	do o=$(basename "$(dirname "$o")")"$(basename "$o")";
	if [ "$(git cat-file -t "$o")" = "blob" ]; then
	if git cat-file blob $o \| grep SOME-WORD; then
	echo ">> $o";
	fi;
	fi;
	done
	Normally, this header is included in most HTTP requests (and
	preserved across HTTP-level redirects), except in the following
	scenarios:
	â After organically entering a new URL into the address bar or
	opening a bookmarked page.
	â When the navigation originates from a pseudo-URL document, such
	as data: or javascript:.
	â When the request is a result of redirection controlled by the
	Refresh header (but not a Location-based one).
	â Whenever the referring site is encrypted but the requested page
	case 'G':
	if (! IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_CAPITAL_G_BEGIN_ANCHOR)) break;
	tok->type = TK_ANCHOR;
	tok->u.subtype = ANCHOR_BEGIN_POSITION;
	break;

	// elsewhere
	case '^':
	if (! IS_SYNTAX_OP(syn, ONIG_SYN_OP_LINE_ANCHOR)) break;
	tok->type = TK_ANCHOR;
	# The fact that YAML.load will instantiate arbitrary ruby objects
	# means that calling `YAML.load` on untrusted data is virtually always
	# equivalent to executing arbitrary code in a complex app.

	# This code fragment globally neuters YAML to disable this behavior,
	# which should (hopefully) cut off all such attacks from the start.

	# I don't promise this closes all possible attacks, but this closes
	# off the trivial case. You should audit and upgrade all your
	# dependencies, as well.
	import sys
	sys.path.append("/tmp/Numberjack.0.1.10-11-24/local_lib")
	from Numberjack import *
	import Mistral

	class Puzzle(object):
	def __init__(self, w, h):
	self.model = Model()
	self.width = w
	self.height = h
	[nelhage@aeronautique:~/stripe/simmer]$ cat test.in
	top5:sum:merchant nelhage:1
	top5:sum:merchant nelhage:2
	top5:sum:merchant evan:1
	sum:x 1
	sum:x 2
	sum:x 3
	(GIT: master *=)
	[nelhage@aeronautique:~/stripe/simmer]$ # bin/simmer -r localhost:6379 -f 0 < test.in
	(GIT: master *=)